Method for electing aggregator nodes in a network

ABSTRACT

A method for electing aggregator nodes in a network, wherein the network includes a plurality of sensor nodes to measure data, and at least one of the sensor nodes functioning as aggregator node to aggregate sensored data obtained by at least a subset of the sensor nodes, the network further including at least one sink node to collect data aggregated by the aggregator nodes, the method including: establishing pairwise secret keys between a current aggregator node and each sensor node of the subset of sensor nodes; at each of the sensor nodes of the subset, choosing a random number and encrypting the random number using the established key; providing a communication chain between the sensor nodes of the subset and summing the encrypted random numbers of all sensor nodes of the subset; and determining a new aggregator node on the basis of the resulting sum according to a predefined calculation scheme.

The present invention relates to a method for electing aggregator nodesin a network, wherein the network comprises a plurality of sensor nodesto measure data, and wherein at least one of the sensor nodes functionsas aggregator node to aggregate sensored data obtained by at least asubset of the sensor nodes, and wherein the network further comprises atleast one sink node to collect data aggregated by the aggregator nodes.

Methods as mentioned above are well known in practice and are of specialimportance in the context of wireless sensor networks (WSNs). WSNs aread-hoc networks, composed of small sensors with limited computation andenergy capacities.

All sensors of a sensor network are sensor nodes which communicate in awireless way and which consist in general of a probe, a processing unit,a communication device and a battery. The sensor nodes comprise thefunctionality of data acquisition, communications and computation on aminimum of space. Due to their limited capacities sensor nodes, ingeneral, don't comprise a tamper resistant unit.

Wireless sensor networks are becoming increasingly popular in manyspheres of live. To provide examples where sensor networks are used,monitoring and controlling machines, controlling (intra- andextra-corporal) health parameters or environment monitoring (liketemperature, humidity and seismic activity) should be mentioned here.The range of application possibilities for sensor networks is almostinfinite, though. In specific fields, such as examining thecontamination of water or weather forecasting, for example, it isextremely advantageous that the sensor nodes can be realized inminiature size and that they can easily be fixed and used in regionshard to access.

Critical parameters restricting under certain circumstances theapplication possibilities of sensor networks are in particularphysically defined factors of the single sensor nodes, such as, forinstance, the reach of their sender, processor power, battery capacity,existing storage space and the like. Since the single sensor nodes—incontrast to the sink node where the sensored data comes together—arephysically restricted in many ways, the energy-efficient organization ofthe sensor network is of outstanding importance. In this context itfirst has to be stated that the transmission of all the sensored data tothe sink node would cause by far too much data traffic, so the data isusually accumulated first within the network at special sensor nodesfunctioning as so called aggregator nodes. Sending all the sensored datato its final destination would result in a lifetime which would beunacceptably short since the energy consumption of the devices, i.e. thesensor nodes, during sending increases in a linear way with the amountof data to send.

In general, the lifetime of wireless sensor networks is divided intoepochs with each epoch having a specific duration. An aggregator node isusually elected for the duration of one epoch during which it receivesdata from other sensor nodes, does in-network processing on these dataand forwards the resulting data. For the next epoch a new sensor node iselected as aggregator node.

One major objective of an aggregator node election mechanism is toflatly balance the remaining energy resources of the single sensor nodesof the network. Consequently, sensor nodes with higher remaining energyresources should preferably be elected for the next epoch within theWSN.

On the other hand, with respect to malicious behavior it is important totake into account that there are some good reasons for sensor nodes tocheat during an aggregator election process. Motivation for cheating maybe twofold: On the one hand sensor nodes may have an interest to notbecome aggregator node since they do not want to waste their remainingenergy. On the other hand sensor nodes may have a contrarian interest,i.e. an interest to become aggregator node, since they intend to spy outas many data as possible.

It is therefore an object of the present invention to improve andfurther develop a method of the initially described type for electingaggregator nodes in a network in such away that the aggregator nodeelecting process is secure, trustable and fair in the sense that asingle sensor node is not enabled to manipulate the electing process inwhatever direction.

In accordance with the invention, the aforementioned object isaccomplished by a method comprising feature of claim 1. According tothis claim, such a method is characterized in

-   -   establishing pairwise secret keys between a current aggregator        node and each sensor node of the subset of sensor nodes from        which the current aggregator node obtains sensored data;    -   at each of the sensor nodes of said subset, choosing a random        number and encrypting the random number using the established        key;    -   providing a communication chain between the sensor nodes of said        subset and summing the encrypted random numbers of all sensor        nodes of said subset; and    -   determining a new aggregator node on the basis of the resulting        sum according to a predefined calculation scheme.

According to the invention it has first been recognized that anymanipulation, whatever the concrete motivation of a cheating sensor nodemay be, can be prevented when the whole election processes is carriedout in a fully randomized way. Moreover, it has being found that arobust aggregation node election process with respect to cheating sensornodes is the one where a sensor node's input to the decision process isas good as the input of any other involved sensor node. In accordancewith the invention the election process is not based on any concreteelection metric and attackers can't feed profitable values into thedecision process in order to influence the aggregator node election in acontrolled way.

As regards the key agreement between the current aggregator node andeach sensor node of the subset of sensor nodes from which the currentaggregator node obtains sensor data, the current aggregator node canbroadcast a multitude of data pairs, each data pair comprising a keyk_(i) and an identifier ID_(i), respectively, in a concealed manner toall sensor nodes of this subset. Each sensor node of the subset can thenchoose randomly one data pair from the multitude of data pairs and breakthe concealment to obtain the key k_(i). This procedure, which isknown—as seen by itself—as Merkle's Puzzle, allows for the establishmentof pairwise secret keys between the aggregator node and each sensornode, i.e. the sensor nodes among themselves do not know the keys theother sensor nodes agreed upon.

The concealment of the broadcasted data pairs can be achieved by way ofan encryption. With respect to a low computational effort for the sensornodes to break the encryption it is advantageous to choose a lightweightencryption. Concretely, it would be possible to use a weak block cipher,for example RC5.

As sending data is a very costly operation, the number of data pairsbroadcasted by the current aggregator node is specified, in anadvantageous manner, according to given security requirements.Concretely, if one expects attackers that possess rather lowcapabilities it is sufficient to broadcast fewer data pairs than itmight be in the case of a more powerful and potential attacker. On theassumption that the performance ratio of an attacker versus sensor nodesis available a security level is exactly measurable and the requirednumber of broadcasted data pairs (as well as the strength of the appliedencryption) can be exactly determined.

As a last step in the context of the key agreement it can be providedthat each sensor node broadcasts the identifier of its chosen data pair.The broadcasted identifier can serve as a commitment so that each sensornode is able to check whether the other sensor nodes act conformably.

As regard the summation process, it is possible that a certain order ofthe sensor nodes within the communication chain is defined. For example,an order can be determined according to the distance of the sensor nodesto the current aggregator node. This process could be conductedaccording to a predefined protocol. Alternatively, the order could bedetermined dynamically or according to IDs of the sensor nodes.According to a further alternative the order is simply determined on thepart of the current aggregator node, although, on the part of thecurrent aggregator node, this method allows for certain exertion ofinfluence on the election process.

In an especially advantageous manner, the encryption scheme E used forencrypting the random numbers r_(i) under the keys k_(i) is homomorphicboth with respect to the random numbers r_(i) and to the key k_(i). Thismeans that

E(k,r)+E(k,r′)=E(k+k′,r+r′).

Concretely, a homomorphic encryption scheme as proposed by C.Castelluccia, E. Mykletun, and G. Tsudik in “Efficient Aggregation ofencrypted data in Wireless Sensor Networks” could be employed.

In order to give each sensor node the possibility to check that theaggregator node election process has being carried out correctly andthat neither the current aggregator node nor any other sensor node hascheated the current aggregator node can reveal all established keysafter the summation of the encrypted random numbers is completed. Whenthe established keys are broadcasted by the current aggregator node eachsensor can firstly check whether its own established key resides amongthe broadcasted keys. Additionally, it could be demanded that theaggregator also reveals which key fits to which concealed pairbroadcasted at the beginning. This would prevent the collaboration ofthe aggregator with a malicious node to introduce new keys after the keyagreement phase is over. Secondly, each sensor node can sum theestablished keys and apply the resulting sum as a key to decrypt the sumof the encrypted random values. This operation is possible due to thedouble homomorphic characteristic of the employed encryption scheme. Onthe basis of the result of the decryption the new aggregator node can bedetermined.

As regards a further prevention of cheating, a time span Δt can bedefined giving the maximum allowed time span between the moment ofbroadcasting the data pairs by the current aggregator node and themoment of broadcasting the established keys. This feature takes intoconsideration that the current aggregator node can only cheat in ameaningful manner if it is aware of the final encrypted sum of therandom values of all involved sensor nodes. By pre-configuring Δt asspecified above one can clearly restrict the remaining time for thecurrent aggregator node to cheat by modifying keys in a meaningful way.

To avoid any collaboration between the current aggregator node and oneof the sensor nodes it can be provided that the election process isaborted and restarted form the beginning if at least one sensor noderegisters any irregularities. For example, an abortion and restart ofthe election process can be performed if one of the sensor nodesregisters that the current aggregator node broadcasts anything else thanthe actual established keys.

There are several ways how to design and further develop the teaching ofthe present invention in an advantageous way. To this end, it is to bereferred to the patent claims subordinate to patent claim 1 on the onehand, and to the following explanation of a preferred example of anembodiment of the invention illustrated by the FIGURE on the other hand.In connection with the explanation of the preferred example of anembodiment of the invention by the aid of the FIGURE, generallypreferred embodiments and further developments of the teaching will beexplained.

In the drawings:

The only FIG. is a schematic view of an embodiment of an applicationscenario of a method according to the invention for electing aggregatornodes in a network.

Referring more particularly to the drawings, the only FIG. depicts anapplication scenario of a method according to the invention. The FIG.shows—as a scheme—a sensor network 1 with a multitude of sensor nodesbeing labeled according to their number by S₁ to S_(n). The datasensored by the sensor nodes S₁ to S_(n) is aggregated by an aggregatornode A_(t). Usually upon the request from a sink node 2—which is, incontrast to the sensor nodes S_(i) and the aggregator node A_(t), aspecific device with sufficiently extensive physical resources—, theaggregator node A_(t) forwards the aggregated data to the sink node 2.For reasons of clarity, in the FIG. only one single aggregator nodeA_(t) is shown and no intermediate nodes between A_(t) and the sink node2 exist.

The sensor network 1 is shown in the status of an epoch t in which thesensor node labeled as A_(t) functions as aggregator node. At thebeginning of the next epoch t+1 a protocol starts to randomly elect oneof the sensor nodes S₁ to S_(n) to be the next aggregator node A_(t+1).The aggregator node election process, in principal, can be distinguishedin three phases:

The first phase is the key agreement phase. The goal of this phase is toestablish pairwise secret keys between the current aggregator node A_(t)and each sensor node S_(i). For this purpose aggregator node A_(t)applies the so called Merkle's Puzzle to establish pairwise keys k_(i)with each of the sensor nodes S₁, . . . , S_(n). During this process,each sensor node S_(i) broadcasts an identifier ID_(i) connected to itskey k_(i) which can be used as a commitment to this key afterwards ifneeded. Since the aggregator election process lasts only for a welldefined short time interval, the security provided by the Merkle Puzzleonly need to hold for this time. In the FIG. the key agreement isindicated by the dotted lines with arrows at both ends thereof.

After the key agreement is completed a second phase of the aggregatornode election process is carried out. The goal of this second phase isto securely compute the sum of the sensors' contribution to the electionprocess. Secure hereby means that the no node sees the contribution ofany other node before the computation of the sum is over, preventing anycheater to influence the outcome in a controlled way.

Each sensor node S_(i) chooses its random contribution r_(i) to theelection process and encrypts it with E and k_(i). E(k, r) denotes theencryption of r under a key k by an encryption scheme E that ishomomorphic in k and r. This means that

E(k,r)+E(k′,r′)=E(k+k′,r+r′).

Each sensor node S_(i) combines the result with the encrypted randomcontribution coming from other sensor nodes S_(i). More precisely, acommunication chain between the nodes is provided, that is S₁ reports toS₂, S₂ to S₃, and so on. Concretely, when S_(i) receives

SUM_(i−1) =E(k ₁+ . . . +r₁+ . . . +r_(i−1)),

it computes

SUM_(i) =E(k _(i) ,r _(i))+SUM _(i−1) =E(k ₁+ . . . +k_(i) ,r ₁+ . . .+r_(i)),

starting at S₁ with SUM₁=E(k₁, r₁). Subsequently S_(i) forwards SUM_(i)to S_(i+1). The process ends when all n nodes have contributed to theencrypted sum of the contributions.

No sensor node S_(i) can cheat in a meaningful manner since it cannotforesee the impact of its own random value r_(i) on the final resultR=r₁+ . . . +r_(n) without knowing the contributions of the other sensornodes S_(i) which would require the knowledge of their keys.

The aggregator node election process is terminated by a third phase. Inthis phase the actual aggregator node A_(t) broadcasts the actual keysto all the sensor nodes S_(i). Each S_(i) decrypts SUM_(n) by computingk=k₁+ . . . +k_(n) and the decryption

D(k,SUM_(n))=R=r ₁+ . . . +r_(n).

The sensor node S_(i) for which it holds that i=R mod n is determined asthe new aggregator node A_(t+1).

Many modifications and other embodiments of the invention set forthherein will come to mind the one skilled in the art to which theinvention pertains having the benefit of the teachings presented in theforegoing description and the associated drawings. Therefore, it is tobe understood that the invention is not to be limited to the specificembodiments disclosed and that modifications and other embodiments areintended to be included within the scope of the appended claims.Although specific terms are employed herein, they are used in a genericand descriptive sense only and not for purposes of limitation.

1. A method for electing aggregator nodes in a network, wherein thenetwork (1) comprises a plurality of sensor nodes (S_(i)) to measuredata, and wherein at least one of the sensor nodes (S_(i)) functions asaggregator node (A) to aggregate sensored data obtained by at least asubset of the sensor nodes (S_(i)), and wherein the network furthercomprises at least one sink node (2) to collect data aggregated by theaggregator nodes (A), the method comprising: establishing pairwisesecret keys (k_(i)) between a current aggregator node (A_(t)) and eachsensor node (S_(i)) of the subset of sensor nodes from which the currentaggregator node (A_(t)) obtains sensored data; at each of the sensornodes (S_(i)) of said subset, choosing a random number (r_(i)) andencrypting the random number (r_(i)) using the established key (k_(i));providing a communication chain between the sensor nodes (S_(i)) of saidsubset and summing the encrypted random numbers (r_(i)) of all sensornodes (S_(i)) of said subset; and determining a new aggregator node(A_(t+1)) on the basis of the resulting sum according to a predefinedcalculation scheme.
 2. The method according to claim 1, wherein thecurrent aggregator node (A_(t)), in the context of the key agreement,broadcasts a multitude of data pairs, each data pair comprising a key(k_(i)) and an identifier (ID_(i)), respectively, in a concealed mannerto all sensor nodes (S_(i)) of said subset.
 3. The method according toclaim 2, wherein each sensor node (S_(i)) of said subset choosesrandomly one data pair from the multitude of data pairs and breaks theconcealment to obtain the key (k_(i)).
 4. The method according to claim2, wherein the concealment of the broadcasted data pairs is achieved byway of a preferably lightweight encryption.
 5. The method according toclaim 4, wherein the broadcasted data pairs are encrypted with a weakblock cipher or using a short key.
 6. The method according to claim 2,wherein the number of data pairs broadcasted by the current aggregatornode (A_(t)) is specified according to given security requirements. 7.The method according to claim 2, wherein each sensor node (S_(i))broadcasts the identifier (ID_(i)) of its chosen data pair as acommitment.
 8. The method according to claim 1, wherein the order of thesensor nodes (S_(i)) within the communication chain is determinedaccording to a well defined rule.
 9. The method according to claim 1,wherein the encryption scheme E used for encrypting the random numbers(r_(i)) under the keys (k_(i)) is homomorphic both with respect to therandom numbers (r_(i)) and to the keys (k_(i)).
 10. The method accordingto claim 9, wherein, after completing the summation of the encryptedrandom numbers (r_(i)), the current aggregator node (A_(t)) broadcaststhe established keys (k_(i)) to all sensor nodes (S_(i)) of said subset.11. The method according to claim 9, wherein each sensor node (S_(i)) ofsaid subset sums the established keys (k_(i)) and applies the resultingsum (k) to decrypt the sum of the encrypted random values (r_(i)). 12.The method according to claim 1, wherein the sensor node (S_(i)) of saidsubset for which it holds that i=R mod n, with R denoting the sum of therandom values (r_(i)) is determined as new aggregator node (A_(t+1)).13. The method according to claim 10, wherein a maximum allowed time Δtis defined between the moment of broadcasting the data pairs and themoment of broadcasting the established keys (k_(i)).
 14. The methodaccording to claim 1, wherein the election process is aborted andrestarted from the beginning if at least one sensor node (S_(i))registers any irregularities.
 15. The method according to claim 4,wherein each sensor node (S_(i)) of said subset chooses randomly onedata pair from the multitude of data pairs and breaks the concealment toobtain the key (k_(i)).
 16. The method according to claim 6, whereineach sensor node (S_(i)) of said subset chooses randomly one data pairfrom the multitude of data pairs and breaks the concealment to obtainthe key (k_(i)).
 17. The method according to claim 7, wherein eachsensor node (S_(i)) of said subset chooses randomly one data pair fromthe multitude of data pairs and breaks the concealment to obtain the key(k_(i)).
 18. The method according to claim 10, wherein each sensor node(S_(i)) of said subset sums the established keys (k_(i)) and applies theresulting sum (k) to decrypt the sum of the encrypted random values(r_(i)).
 19. The method according to claim 11, wherein a maximum allowedtime Δt is defined between the moment of broadcasting the data pairs andthe moment of broadcasting the established keys (k_(i)).
 20. The methodaccording to claim 12, wherein a maximum allowed time Δt is definedbetween the moment of broadcasting the data pairs and the moment ofbroadcasting the established keys (k_(i)).